[Snort-users] Rule for Cisco IOS Interface Blocked by IPv4 Packet Vulnerability

Pawel Rogocz pawel at ...5803...
Fri Jul 18 02:08:14 EDT 2003


Yeah right, let's alert on all UDP packets :-)

According to Cisco 

http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml

it is protocol 77 not 17.



Pawel

On Thu, Jul 17, 2003 at 05:46:22PM -0700, Matt Ploessel wrote:
> 
> In the Foundstone web seminar today covering the details of the Cisco
> IOS vulnerability released this morning, some users asked for snort
> rules to detect potential Cisco DoS attempts. The simple rule below
> should do the job. Tomorrow morning Foundstone will have a follow-up
> seminar covering new information and our current findings. I am
> interested to track the presence of malicious scanning of this
> vulnerability in the wild. For those who apply the below rules, please
> attempt to share sanitized information (number of  detections and size
> of IP space covered by your IDS) with me so statistics of the
> vulnerability presence can be generated based on a larger consensus.
> 
> Thank You.
> 
> Information on the Foundstone web seminar:
> http://www.foundstone.com/company/pressrelease_template.htm?indexid=79
> 
> Snort Rule for the Cisco IOS Interface IPv4 Packet Vulnerability 
> 
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS";
> classtype:attempted-dos; ip_proto:53;)
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS";
> classtype:attempted-dos; ip_proto:55;)
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS";
> classtype:attempted-dos; ip_proto:17;)
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS";
> classtype:attempted-dos; ip_proto:103;)
> 
> ...
> 
> Matt Ploessel
> Network Security Engineer
> Foundstone, Inc.
> Strategic Security
> 
> 949.297.5622 Tel 
> 949.297.5575 Fax 
> 
> http://www.foundstone.com
> 
> PGP Hash: 5233 27A0 E504 2887 0F6F 0218 7495 1EB2 F182 E914
> 
> This email may contain confidential and privileged information for the
> sole use of the intended recipient. Content disclosure to third parties
> is strictly prohibited. Verify sender and message body authenticity
> against the above PGP key only, retrieved via a secure and dependable
> method. Thank you.
> 
> 

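An added example, not from either poster: the same match the rules express, done in Python over the IPv4 header so the correction can be checked offline. It parses the protocol byte (offset 9) of constructed packets against the four protocol numbers in the Cisco advisory and carries the rule text with the colon form of the ip_proto option and 77 in place of 17. Packets and addresses are constructed; nothing here is captured traffic.

```python
import struct

# Protocol numbers from the Cisco advisory cisco-sa-20030717-blocked:
# 53 (SWIPE), 55 (IP Mobility), 77 (Sun ND), 103 (PIM).
# 17 is UDP and is not in the set; that is the error the reply points out.
AFFECTED_PROTOCOLS = {53, 55, 77, 103}

# The thread's rules with two corrections: the option needs a colon
# (ip_proto:<n>;) and 77 replaces 17.
CORRECTED_RULES = [
    'alert ip $EXTERNAL_NET any -> $HOME_NET any '
    '(msg:"Cisco IPv4 DoS"; classtype:attempted-dos; ip_proto:%d;)' % p
    for p in sorted(AFFECTED_PROTOCOLS)
]


def ip_protocol(packet: bytes) -> int:
    """Return the protocol field of an IPv4 header, or -1 if not IPv4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return -1
    return packet[9]  # protocol byte sits at offset 9 of the IPv4 header


def matches_cisco_rule(packet: bytes) -> bool:
    """True when the packet would trigger one of the corrected rules."""
    return ip_protocol(packet) in AFFECTED_PROTOCOLS


def build_ipv4(proto: int, src: str = "192.0.2.1", dst: str = "192.0.2.254") -> bytes:
    """Construct a minimal 20-byte IPv4 header (test input; checksum left zero)."""
    def addr(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0, addr(src), addr(dst))


def triage(packets: list) -> list:
    """Return the protocol numbers of the packets that match, in order."""
    return [ip_protocol(p) for p in packets if matches_cisco_rule(p)]


if __name__ == "__main__":
    sample = [build_ipv4(n) for n in (6, 17, 53, 55, 77, 103)]
    print(triage(sample))  # [53, 55, 77, 103]; 17 (UDP) does not match
    print("\n".join(CORRECTED_RULES))
```

The rules, like this check, match on the protocol number alone and on any $HOME_NET destination, so traffic to hosts other than the router's own interface addresses will also alert.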